[PATCH] tcp-wrappers support extended to x11 forwards

Dan Astoorian djast at cs.toronto.edu
Wed Dec 5 08:18:33 EST 2001


On Fri, 30 Nov 2001 08:48:48 EST, Ed Phillips writes:
> 
> On a side note, I recently reported a bug (and received no response)
> that is relevant to the above.  If a hacker were actually trying to use
> random cookies from SystemC to display on SystemA through SystemB... there
> is a bug in ssh/sshd where they hang around instead of exiting when you log
> out - and in this scenario, the bug allows the hacker to keep trying
> cookies forever or until you explicitly kill ssh/sshd.  The bug itself
> seems to cause ssh/sshd to hang instead of exiting.  I also submitted the
> exact details on how to reproduce the bug.  That was weeks ago...

I haven't seen any further mention of that bug here either.  The bug is
still present (as of 3.0.2p1).

The bug occurs anytime an X connection is rejected (e.g., "X11
connection uses different authentication protocol" or "X11 auth data
does not match fake data").

When this occurs, the TCP connection to the X client is never closed,
and the session is never cleaned up.

I believe that in channels.c, the code in the "else if (ret == -1)" case
in channel_pre_x11_open(), which calls chan_read_failed(c) and
chan_write_failed(c), is insufficient; this puts the input into the
"drain" state, but never actually permits it to close.

The patch below seems to correct the problem.  Note the difference for
protocol version 1 vs. v2.  Someone more familiar with the code than
myself should verify that the patch makes sense, and that there's not a
more elegant fix.

========================================================================
--- channels.c.orig Thu Oct 11 21:35:05 2001
+++ channels.c  Tue Dec  4 16:12:01 2001
@@ -872,7 +872,9 @@
        } else if (ret == -1) {
                debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
                chan_read_failed(c);    /** force close? */
-               chan_write_failed(c);
+               chan_ibuf_empty(c);
+               if (compat20)
+                       chan_write_failed(c);
                debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
        }
 }
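
Review bot: the new "if (compat20)" guard around chan_write_failed(c) carries no comment saying why protocol 1 must skip the call, and the "/** force close? */" remark left on the chan_read_failed(c) line still reads as an open question; a short comment giving the v1 versus v2 reason would let a maintainer check the change against the channel state machine. Nothing in the hunk discards pending input before chan_ibuf_empty(c) is called, so it is worth confirming that the call is valid if the channel's input buffer can still hold data at this point. The second debug() line would then also show whether the channel really reaches a closed state on both protocol versions.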
========================================================================

Cheers,

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast at cs.toronto.edu        not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.    --Dan Redican



More information about the openssh-unix-dev mailing list